From nobody Sun May 24 21:37:37 2026 Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8417F3C3C1A for ; Thu, 21 May 2026 08:37:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779352684; cv=none; b=gAG+esFeogSbJjl266moSs5tZAgZUbZYw0+6T/2qRLzuCNRnrwMLPC45PuGOk1uYOqEOLwFh7mG2G0K8OqQpW+DL75JFGS/8+Naw9Cig7iryQLTzeBTb26qcsyI/3kSWKX1fGW6VqdJp282ZYRZ0jCt8+bo+rUhFrwCZujLOLyo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779352684; c=relaxed/simple; bh=uClwDwQ9aMBOn1j7vC5jSbaTUBkTAZEZk5MPWjNbpow=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=LtTntQWbn9vZwhmOk8U3iA2mdOTtt3lddjV/xqxLCFC5WON5bkqrdh+b2T6WaURaKJORoa4qj7VZMiNjS8E7H4xExhxvP1YmA9EKt/AaLMy+/Vv9bzkWaOJVc+Ze3RFxntUmNXpad4UmGiaK42qaJsvEJZDHHfygMwgOlX4b6jc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=JDso3xmV; arc=none smtp.client-ip=209.85.216.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="JDso3xmV" Received: by mail-pj1-f45.google.com with SMTP id 98e67ed59e1d1-368ea877adbso796941a91.3 for ; Thu, 21 May 2026 01:37:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779352675; x=1779957475; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=sC1dlVSEJRn8MI2VFuxLlRNe963Fh6GRPhQWJKMRLww=; b=JDso3xmVZrl0P9qvnwAaH02BRgcD6UwMXoMED+ER7opASli1xVwWalfIBxsp7I3yg6 oeaLxe7mhIOn+Pq4KO3S83nVDTgMWWMAAao3DwTtuX7Vj0vCFYk/6eOpkGZo9pKS2Ybc bAV56+l5wxX9b7gyAOFjEIaYSy/8hg4MbYZMjxmPWKbQEcabHdYojJKGEe/UJrVoiOby wQjhCTo9XaY8NiSuchnEAVbrwYcbInsH54xVOGhksvV5t8ZHFIZwmieIBS375TXLQ6Zd 87xMQnJ1VrpqotuhIdNPEY4yp0a0jIWTcaoyj73EFLTjbUPUvMRxDKJxHdyC+4nvL2/e HyXw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779352675; x=1779957475; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=sC1dlVSEJRn8MI2VFuxLlRNe963Fh6GRPhQWJKMRLww=; b=Zz1TkHaDOm9M9fq7KB4c9+aX0ac4QmFwAPN5AtHsorcMWPuthU0hQLqFBbKHqaIuJ5 2trFHDak7prfRcGcw33fQC++TARZljRDjtYCWhHbX50vxkOvK3O6aibQbUEekBrFQg28 3r9NQH5yakII+sfLefm+hDik9m6mxKsQYHk4/uDDC4V4yTPB86CPrqIPidAKuW3ROSr7 2cXbS86MIuD/uhz95N/LKoJPHlxIa7dEz3E34B4JVa1nL44f2fqz9LuSOcbpjqZGo5lB gyX6GXysBLB2fsJWZC5BHxxPk01KghFQCZkv+sD+jDg816TVA6S9xAn8U6V0N5GTgJay b5+w== X-Forwarded-Encrypted: i=1; AFNElJ/aehEp2qxH5jULQiIxqqzsHxdWE27fTXJEnQ3+bWosix37pzwIGXnQpKsNGi3mJ/cFNx04okSWrwGB2SE=@vger.kernel.org X-Gm-Message-State: AOJu0YzBgO5kIuaGVRKb7mxuz/MeH6w1umzN92QiJl/9zqNiQqV1Tx+N v/uDcmHMsuSyPhUJiLrcpv3OQBrnBBFK5pthAK9mXnCpOgHDnWj/08dK X-Gm-Gg: Acq92OFL2gbY0ivGF4HhT+6qTmGm1YZINS59f37GcXGNnDK9GoTBWQmtv8vtwXZ6DM0 B00cXQGj2jPx3+aU9YVOA2evB7JYMIVr7sR68Bk7LIhVeUX6xwVljt7HRx75dfeI1sQtpIsu8nu OAbcshxAB3W7XwU9biVqcB+A3cctAdVqim4UIEFqHLIXcYjWQDPWz350p+28HFVi445xe3X6zu4 n465op3jdw6eFOk2wQHn+R2jIRXg43obPTNy3W0BDnyzugqHroJzi6CpqisPKdIuyqiUqtZfaxl vlf1biQ58FJM6EMQxaISbCcDIcIqVH7Ha6v7kxLadFhXlWzuDi8Zd0wz9kNW3X1i1ovvh5mXNKq 2xKKvvJQdWYY2WslYtrhVrpuW6IMvymavqBzLm3TzdxdCXvznqlMZJL6nb0VwzVpNzY2f3XuHd5 HAIRHShtnHrU1Qpqspnc9n1cCORmQV X-Received: by 2002:a17:90b:2551:b0:369:224d:8beb with SMTP id 98e67ed59e1d1-36a45c526d0mr1156488a91.7.1779352674862; Thu, 21 May 2026 01:37:54 -0700 (PDT) Received: from kali ([2402:e280:3d7c:a2:536a:b505:93f5:9d5d]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c82bb0626b2sm28046326a12.6.2026.05.21.01.37.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 May 2026 01:37:54 -0700 (PDT) From: Pavitra Jha To: antonio@openvpn.net Cc: sd@queasysnail.net, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Pavitra Jha Subject: [PATCH] ovpn: fix peer refcount leak in TCP error paths Date: Thu, 21 May 2026 04:37:39 -0400 Message-ID: <20260521083739.65061-1-jhapavitra98@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When either the TCP RX or TX error path calls ovpn_peer_hold() followed by schedule_work(&peer->tcp.defer_del_work), and the work item is already pending from the other path, schedule_work() returns false and the work runs only once. Since ovpn_tcp_peer_del_work() calls ovpn_peer_put() exactly once, the extra reference taken by the losing path is never dropped, leaking the peer object. The race window: CPU0 (strparser/RX error): CPU1 (tcp_tx_work/TX error): ovpn_peer_hold() <- refcnt+1 ovpn_peer_hold() <- refcnt+2 schedule_work() <- queued schedule_work() <- NO-OP (work already pending) ovpn_tcp_peer_del_work runs: ovpn_peer_del() ovpn_peer_put() <- refcnt+1 <- peer never freed Fix by checking the return value of schedule_work() in both paths and calling ovpn_peer_put() to drop the extra reference if the work was already pending. Fixes: a6a5e87b3ee4 ("ovpn: avoid sleep in atomic context in TCP RX error p= ath") Cc: stable@vger.kernel.org Signed-off-by: Pavitra Jha --- drivers/net/ovpn/tcp.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/ovpn/tcp.c b/drivers/net/ovpn/tcp.c index 5499c1572..d651ce85c 100644 --- a/drivers/net/ovpn/tcp.c +++ b/drivers/net/ovpn/tcp.c @@ -151,7 +151,8 @@ static void ovpn_tcp_rcv(struct strparser *strp, struct= sk_buff *skb) /* take reference for deferred peer deletion. should never fail */ if (WARN_ON(!ovpn_peer_hold(peer))) goto err_nopeer; - schedule_work(&peer->tcp.defer_del_work); + if (!schedule_work(&peer->tcp.defer_del_work)) + ovpn_peer_put(peer); dev_dstats_rx_dropped(peer->ovpn->dev); err_nopeer: kfree_skb(skb); @@ -282,8 +283,9 @@ static void ovpn_tcp_send_sock(struct ovpn_peer *peer, = struct sock *sk) /* in case of TCP error we can't recover the VPN * stream therefore we abort the connection */ - ovpn_peer_hold(peer); - schedule_work(&peer->tcp.defer_del_work); + if (ovpn_peer_hold(peer)) + if (!schedule_work(&peer->tcp.defer_del_work)) + ovpn_peer_put(peer); =20 /* we bail out immediately and keep tx_in_progress set * to true. This way we prevent more TX attempts --=20 2.53.0